All further communication will be done through the mailing list. Please keep checking your junk mail folder in case some messages might go there. We are also in the process of setting up a wiki for the length of the project to post updates, etc. Until then I will be updating my blog with the project details.

Monday, August 13, 2007

WASC has announced a new project WASSEC (Web Application Security Scanner Evaluation Criteria). Currently WASC is seeking volunteers from various sections of the community including penetration testers, scanner vendors, security researchers and also end users to contribute to the project.

A brief description of the project

The Web Application Security Scanner Evaluation Criteria is a set of guidelines for evaluating web application security scanners on how completely they identify web application vulnerabilities. It will cover things like crawling, parsing, session handling, the types of vulnerabilities detected and the information reported about those vulnerabilities. The goal of this project is to evaluate the technical aspects of web application security scanners and NOT the features they provide.

Sunday, August 12, 2007

At the Mozilla Pyjama party during Blackhat, Jeremiah and I met up with Bubba Gump and he shared with us an interesting story on how he was able to do something similar to the Samy worm on another social networking site. His story just goes to show that there are so many other websites which are still getting hacked the same way but either have no clue or are in denial. We asked him to share his story with others in the community too, and said that if he could write it up for us I would post it on my blog. The site developers were already notified of the vulnerability and have fixed it, so I am posting this story on my blog. Here it goes:

A while back I read a Newsweek article about a new social networking website called GoLoco.org. This site is designed for making car-pooling arrangements and is run by an environmentalist CEO named Robin Chase. The idea is to help the environment and save money on gas at the same time – an interesting concept.

After signing up for a free account on the GoLoco site, I couldn't help but play around with it a bit. I started by going to the Modify Profile page and injecting <> tags into various items in my profile to see what would happen. For the most part, any tag I injected would be properly HTML encoded before being echoed back onto the page. However, they forgot to lock down two of the fields in my profile. Upon further experimentation, I found that each field had a max length of 255 characters and could hold a persistent Cross-Site Script. Nice!

Although some very interesting feats could be accomplished with this vulnerability, I sat on this info for a while – the Goloco site was new, with only about 1000 users at that time. There wasn't much glory to be had in creating another Samy worm on this site.

But two weeks later I received an email from Robin Chase. She laid down a challenge – the first Goloco user to exceed her in number of friends would win a free t-shirt. It was almost like she was asking to be XSSed!

I started by inserting some AJAX code into my profile that would make the person viewing it automatically POST a request to become my friend. In order to get more people to view my profile, I posted a trip from Boston to California. Most of the site's users are from Boston, so they would see this trip listed on their homepage upon logging in. Clicking on the Trip Details link would bring up my profile, which would cause the user to unknowingly make the friendship request.

I expected to start receiving lots of friendship request emails, but was disappointed at first. An average of just one or two requests came in per day, which reflected the low amount of traffic on this site and the fact that a user would have to click on my link out of a list of about 20 trips in order to be hit with the XSS. Clearly I needed to re-think my approach.

A little more exploration of the site led me to the breakthrough that I was hoping for. It turns out that the trip location names were also Cross-Site Scriptable, and the destination location name is what showed up on the homepage after a user logs in. This means that users no longer had to click on my link to get hit with the XSS – all they needed to do was log into the site and they'd immediately request to become my friend. I did not attempt to make the XSS payload wormable because I did not want to do anything that would cause damage to other people's profiles or trips.

After this new, improved XSS was put in place, the friendship requests started pouring in at a rate of about 15 per day, which for this particular site was impressive. A nice, unexpected side-effect is that I would receive an email every time a user logged into the site. I quickly got to learn the usage habits of various people – for example, one of the employees of the site had a strange tendency to log in at 4:00 AM. I also experienced another unintended side-effect. The site had no controls in place to prevent duplicate friendship requests from the same person, so I began to get spammed with duplicate requests as the same user hit the homepage multiple times. This became annoying after a while, so I modified my XSS to drop a cookie on the user's machine to track whether or not they had submitted a friendship request already – ah, much better!

While waiting for the friendship requests to come in, I explored the site a bit further, this time looking for interesting HTML comments. I discovered that the site's developers were displaying private communications between members in HTML comments. I was able to obtain lots of interesting info this way, including the names of all of the site's developers and CEO Robin Chase's cell phone number. This would come in handy later.

After three days, I had built up enough friendship requests to exceed Robin. And in fact, the last person to get hit with my XSS was none other than Robin Chase herself, who logged in bright and early at 6:45 AM. I removed the XSS, accepted all of the friendship requests that had queued up, and counted my friends – sure enough, I was ready to claim my prize.

Later that morning I called Robin and claimed my t-shirt. Interestingly, she didn't ask me how I obtained her cell phone number or how I had acquired so many friends so quickly. But she congratulated me and told me she'd send me the t-shirt.

Shortly after that, I got in touch with the people in charge of development for the site and told them about the security issues, which they quickly addressed. Today, Goloco is integrated with Facebook, so I suspect that it is a bit harder to hack than it used to be. And Robin, if you're reading this I just want to remind you that I'm still waiting for my t-shirt!

I came back from Blackhat and Defcon last Sunday. I was there for the entire 9 days (combined Blackhat and Defcon) and when I came back, I realized why people said 9 days of Vegas are toooo long. It was my first time in Vegas so I didn't see it earlier, but now I have learnt my lesson. :)

It had been a very enjoyable experience, though the party really took off on Tuesday night when most of the people started to come in for the briefings. I had dinner with the Mozilla guys along with several other webappsec professionals. I was talking to Dan from Mozilla and, to my surprise, he asked me "What kind of security features would you like to see in Firefox?" They also had a discussion with RSnake, Jeremiah Grossman and I am sure with some other webappsec professionals too. I am impressed by Firefox's approach. They are reaching out to the webappsec community and asking for their support and advice in making their browser more secure. I think it's a great start and I know they will get flooded with suggestions, most of which they won't be able to include until the next decade, but at least they are sincere and making an effort (or so it appears; we'll find out soon enough).

I met with a lot of great guys from the webappsec community, including people from Google, TiVo, VeriSign, iSEC Partners, Outpost24, eBay, Breach, Aspect Security, Ounce Labs, and many more. Some of them I didn't know before, some of them I had interacted with over email earlier and some of them I had reflected on, but it's great to meet them in person (RSnake, Ryan Barnett, Ivan Ristic, Alex Stamos, Robert Auger, Andrew van der Stock, Jeff Williams, Dinis Cruz). I spent some time with id from ha.ckers.org. He takes time in opening up, but when he does, he is actually a very nice guy (that is, only if you are not planning to take his laptop away from him).

I also got a chance to meet the ex-L0pht guys; now they are running their own company (SafeLight). Rob Cheyne (the guy who wrote LC4 and also the CEO of SafeLight) handed me his business card in a sleeve. Interesting, why is that? Actually the sleeve is a radio frequency blocking sleeve to protect your RF-enabled credit cards from being read even when they are safely tucked in your wallet.

Bubba Gump was another guy I can recall very well since he had a very interesting story to share which I will publish as a separate post as it is well worth the read.

The most hilarious presentation of Blackhat and Defcon award goes to Jeff Moss. Jeff Moss made a presentation titled "Cisco Gate" (his experience with the Cisco IOS flaw presentation fiasco). The content of course was interesting since everyone wanted to know the "behind the scenes" story, but I think his delivery was equally good. We could not stop laughing through the entire length of the presentation.

Last but not least, the OWASP-WASC party was a huge success. There were over 350 people who came to the party. The feedback I got from several people was that it was the best party of Blackhat. Many thanks to Heather Cason of Breach Security, who did an excellent job in organizing the whole show. She also sent me the pictures of the party, which you can see below.